Abstract

We propose a monotonic logic of internalised non-monotonic or instant interactive proofs (LiiP) and reconstruct an existing monotonic logic of internalised monotonic or persistent interactive proofs (LiP) as a minimal conservative extension of LiiP. Instant interactive proofs effect a fragile epistemic impact in their intended communities of peer reviewers that consists in the impermanent induction of the knowledge of their proof goal by means of the knowledge of the proof with the interpreting reviewer: If my peer reviewer knew my proof then she would at least then know that its proof goal is true. Their impact is fragile and their induction of knowledge impermanent in the sense of being the case possibly only at the instant of learning the proof. This accounts for the important possibility of internalising proofs of statements whose truth value can vary, which, as opposed to invariant statements, cannot have persistent proofs. So instant interactive proofs effect a temporary transfer of certain propositional knowledge (knowable ephemeral facts) via the transmission of certain individual knowledge (knowable non-monotonic proofs) in distributed systems of multiple interacting agents.

Keywords: agents as proof- and signature-checkers; constructive Kripke-semantics; interpreted communication; multi-agent distributed systems; interactive and oracle computation; proofs as sufficient evidence.

1 Introduction 

The subject matter of this paper is modal logic of interactive proofs, i.e., a novel logic of non-monotonic or instant interactive proofs (LiiP) as well as an existing logic of monotonic or persistent interactive proofs (LiP) [Kra12]. (We abbreviate interactivity-related adjectives with lower-case letters.) The goal here is to define LiiP axiomatically and semantically as well as to reconstruct LiP as a minimal conservative extension of LiiP. So for distributed and multi-agent systems, whose states and thus truth of statements about states can vary, proof non-monotonicity (as in LiiP) is in a logical sense more primitive than proof monotonicity (as in LiP). In contrast, proof monotonicity is perhaps more intuitive than proof non-monotonicity within formal physical theories validated by experiment and surely within mathematical theories known to be consistent.

*Work funded with Grant AFR 894328 from the National Research Fund Luxembourg cofunded under the Marie-Curie Actions of the European Commission (FP7-COFUND), and finalised during an invited stay at the Institute of Mathematical Sciences, Chennai, India.

Rephrasing [Mak05, Section 1.1] model-theoretically, the proof modality of LiiP internalises a non-monotonic notion of proof in the sense that it can happen that a proposition $\varphi$ can be proved with a (non-monotonic) proof $M$ to an agent $a$ in some system state $s$, but not anymore in some subsequent state $s'$ in which $a$ will have learnt additional or lost previously learnt data $M'$. See Appendix B for formal application examples. Like in LiP [Kra12], we understand interactive proofs as sufficient evidence to intended resource-unbounded (though unable to guess) proof- and signature-checking agents (designated verifiers).

Instant interactive proofs effect a fragile epistemic impact in their intended communities $\mathcal{C}$ of peer reviewers that consists in the impermanent induction of the (propositional) knowledge (not only belief) of their proof goal $\varphi$ by means of the (individual) knowledge of the proof (the sufficient evidence) $M$ with the designated interpreting reviewer $a$: If $a$ knew my proof $M$ of $\varphi$ then she would at least then know that the proof goal $\varphi$ is true. By individual knowledge we mean knowledge in the sense of the transitive use of the verb "to know," here to know a message, such as the plaintext of an encrypted message. Notation: $a\,k\,M$ for "agent $a$ knows message $M$" (cf. Definition 1). This is the classic concept of knowledge de re ("of a thing") made explicit for messages, meaning taking them apart (analysing) and putting them together (synthesising). Whereas by propositional knowledge we mean knowledge in the sense of the use of the verb "to know" with a clause, here to know that a statement is true, such as that the plaintext of an encrypted message is (individually) unknown to potential adversaries. Notation: $K_a(\varphi)$ for "agent $a$ knows that $\varphi$ (is true)" (cf. Fact 1). This is the classic concept of knowledge de dicto ("of a fact").¹ (We distinguish individual and propositional knowledge with respect to the "object" of knowledge [the known], i.e., with respect to a message and clause, respectively. However, individual as well as propositional knowledge can both be individual with respect to the subject of knowledge [the knower], i.e., an [individual] agent.) With respect to belief, propositional knowledge essentially differs in that it is necessarily true whereas belief is possibly false, as commonly known and accepted [MV07]. The epistemic impact of our instant interactive proofs is fragile and their induction of knowledge impermanent in the sense of being the case possibly only at the instant of learning the proof. This accounts for the important possibility of internalising proofs of statements whose truth value can vary, such as statements about system states, which, as opposed to invariant statements, cannot have persistent proofs. Proofs must (not) prove true (false) statements! Standard examples of statements of variable truth value are contingent (e.g., elementary) facts (expressed as atomic formulas) and characteristic formulas of states [GO07].

¹ In a first-order setting, knowledge de re and de dicto can be related in Barcan-laws [KR10].

In contrast [Kra12], the epistemic impact of persistent interactive proofs is durable in the sense of being the case necessarily at the instant of learning the proof and henceforth, where time can be present implicitly (such as here) or explicitly (in future work). In other words, when a persistent proof can prove a certain statement, the proof will always be able to robustly do so, independently of whether or not more messages (data) than just the proof are learnt.

In sum, our instant interactive proofs effect a transfer of propositional knowledge (knowable ephemeral facts) via the transmission of certain individual knowledge (knowable non-monotonic proofs) in multi-agent distributed systems. That is, L(i)iP is a formal theory of (temporary) knowledge transfer. The overarching motivation for L(i)iP is to serve in an intuitionistic foundation of interactive computation. See [Kra12] for a programmatic and methodological motivation.

1.1 Contribution 

Our technical contribution in this paper is fourfold. For LiiP, we provide an adequate axiomatisation of its oracle-computational and knowledge-constructive Kripke-semantics, and a minimal conservative extension LiiP$^+$ with a single monotonicity axiom schema making LiiP$^+$ isomorphic to LiP. For LiP, we provide a substantially simplified semantic interface and a slightly simplified axiomatisation, which is a nice side-effect of obtaining LiiP$^+$.

The Kripke-semantics for LiiP (like for LiP [Kra12]) is knowledge-constructive in the sense that (cf. Fact 1) our interactive proofs induce the knowledge of their proof goal (say $\varphi$) in their intended interpreting agents (say $a$) such that the induced knowledge ($K_a(\varphi)$) is knowledge in the sense of the standard modal logic of knowledge S5 [FHMV95, MV07, HR10]. Note that our agents here are still resource-unbounded with respect to individual and propositional knowledge, though they are still unable to guess that knowledge. (Recall that S5-agents are resource-unbounded, i.e., logically omniscient.) Thus we give an epistemic explication of proofs, i.e., an explication of proofs in terms of the epistemic impact that they effect in their intended interpreting agents (i.e., the knowledge of their proof goal). Technically, we endow the proof modality with a standard Kripke-semantics [BvB07], but whose accessibility relation we first define constructively in terms of elementary set-theoretic constructions,² namely as ${}_M R_a^{\mathcal{C}}$, and then match to an abstract semantic interface in standard form (which abstractly stipulates the characteristic properties of the accessibility relation [Fit07]). We will say that ${}_M R_a^{\mathcal{C}}$ exemplifies (or realises) ${}_M \mathcal{R}_a^{\mathcal{C}}$. (A simple example of a constructive definition of a modal accessibility is the well-known definition of epistemic accessibility as state indistinguishability defined in terms of equality of state projections [FHMV95].) Recall, set-theoretically constructive is different from intuitionistically constructive! The Kripke-semantics for LiiP is oracle-computational in the sense that (cf. Definition 3) the individual proof knowledge (say $M$) can be thought of as being provided by an imaginary computation oracle, which thus acts as a hypothetical provider and imaginary epistemic source of our interactive proofs. The semantic interface of LiP here is simplified in the sense that we are able to eliminate all a posteriori constraints from the semantic interface in [Kra12] and thus to manage with only standard, a priori constraints, i.e., stipulations.

² In loose analogy with the set-theoretically constructive rather than the purely axiomatic definition of numbers [Fef89] or ordered pairs (e.g., the now standard definition by Kuratowski, and other well-known definitions [Mos06]).

1.2 Roadmap 

In the next section, we introduce our Logic of instant interactive Proofs (LiiP) axiomatically by means of a compact closure operator that induces the Hilbert-style proof system that we seek and that allows the simple generation of application-specific extensions of LiiP (cf. Appendix B). We then prove some useful (further-used) deducible laws within the obtained system. Next, we introduce the set-theoretically constructive semantics and the abstract semantic interface for LiiP, and prove the axiomatic adequacy of the proof system with respect to this interface. In the construction of the semantics, we again make use of a closure operator, but this time on sets of proof terms. Finally in Section 3, we reconstruct LiP as a minimal conservative extension of LiiP.

2 Logic of instant interactive Proofs 

The Logic of instant interactive Proofs (LiiP) provides a modal formula language over a generic message term language. The formula language offers the propositional constructors, a relational symbol '$k$' for constructing atomic propositions about individual knowledge (e.g., $a\,k\,M$), and a modal constructor '$::$' for propositions about proofs (e.g., $M ::_a^{\mathcal{C}} \varphi$). The message language offers term constructors for message pairing and (not necessarily, but possibly cryptographically implemented) signing. (Cryptographic signature creation and verification is polynomial-time computable [Kat10]. See [Kra12] for other cryptographic constructors such as encryption and hashing.) In brief, LiiP is a minimal modular extension of classical propositional logic with an interactively generalised additional operator (the proof modality) and proof-term language (only two constructors, agents as proof- and signature-checkers). Note, the language of LiiP is identical to the one of LiP [Kra12] modulo the proof-modality notation, which in LiP is '$:$'.

Definition 1 (The language of LiiP). Let

• $\mathcal{A} \neq \emptyset$ designate a non-empty finite set of agent names $a$, $b$, $c$, etc.

• $\mathcal{C} \subseteq \mathcal{A}$ denote (finite and not necessarily disjoint) communities (sets) of agents $a \in \mathcal{A}$ (referred to by their name)

• $\mathcal{M} \ni M ::= a \mid B \mid \{[M]\}_a \mid (M, M)$ designate our language of message terms $M$ over $\mathcal{A}$ with (transmittable) agent names $a \in \mathcal{A}$, application-specific data $B$ (left blank here), signed messages $\{[M]\}_a$, and message pairs $(M, M)$

(Messages must be grammatically well-formed, which yields an induction principle. So agent names $a$ are logical term constants, the meta-variable $B$ just signals the possibility of an extended term language $\mathcal{M}$, $\{[\cdot]\}_a$ with $a \in \mathcal{A}$ is a unary functional symbol, and $(\cdot, \cdot)$ a binary functional symbol.)

• $\mathcal{P}$ designate a denumerable set of propositional variables $P$ constrained such that for all $a \in \mathcal{A}$ and $M \in \mathcal{M}$, $(a\,k\,M) \in \mathcal{P}$ (for "$a$ knows $M$") is a distinguished variable, i.e., an atomic proposition (for individual knowledge)

(So $a\,k\,\cdot$ where $a \in \mathcal{A}$ is a unary relational symbol.)

• $\mathcal{L} \ni \varphi ::= P \mid \neg\varphi \mid \varphi \wedge \varphi \mid M ::_a^{\mathcal{C}} \varphi$ designate our language of logical formulas $\varphi$, where $M ::_a^{\mathcal{C}} \varphi$ reads "$M$ is a $\mathcal{C} \cup \{a\}$-reviewable proof of $\varphi$" in that "$M$ can prove $\varphi$ to $a$ (e.g., a designated verifying judge) and this is commonly accepted in the (pointed) community $\mathcal{C} \cup \{a\}$ (e.g., for $\mathcal{C}$ being a jury)."

Then LiiP has the following axiom and deduction-rule schemas, with grey-shading indicating the difference to LiP.

Definition 2 (The axioms and deduction rules of LiiP). Let

• $\Gamma$ designate an adequate set of axioms for classical propositional logic

• $\Gamma_1 := \Gamma \cup \{$

— $a\,k\,a$ (knowledge of one's own name string)

— $a\,k\,M \to a\,k\,\{[M]\}_a$ (personal [the same $a$] signature synthesis)

— $a\,k\,\{[M]\}_b \to a\,k\,(M, b)$ (universal [any $a$ and $b$] signature analysis)

— $(a\,k\,M \wedge a\,k\,M') \leftrightarrow a\,k\,(M, M')$ ([un]pairing)

— $(M ::_a^{\mathcal{C}} (\varphi \to \varphi')) \to ((M ::_a^{\mathcal{C}} \varphi) \to M ::_a^{\mathcal{C}} \varphi')$ (Kripke's law, K)

— $(M ::_a^{\mathcal{C}} \varphi) \to (a\,k\,M \to \varphi)$ (epistemic truthfulness)

— $((M, b) ::_a^{\mathcal{C}} \varphi) \to \{[M]\}_a ::_b^{\mathcal{C} \cup \{a\}} (a\,k\,M \wedge M ::_a^{\mathcal{C}} \varphi)$ (nominal [in $b$] peer review; the antecedent reads "can prove", the consequent "does prove")

— $(M ::_a^{\mathcal{C} \cup \mathcal{C}'} \varphi) \to M ::_a^{\mathcal{C}} \varphi$ (group decomposition) $\}$

designate a set of axiom schemas.

Then, $\mathit{Cl}(\Gamma) := \bigcup_{n \in \mathbb{N}} \mathit{Cl}^n(\Gamma)$ and $\mathrm{LiiP} := \mathit{Cl}(\emptyset)$, where for all $\Gamma \subseteq \mathcal{L}$:

$\mathit{Cl}^0(\Gamma) := \Gamma_1 \cup \Gamma$

$\mathit{Cl}^{n+1}(\Gamma) := \mathit{Cl}^n(\Gamma)\ \cup$

$\{\ \varphi' \mid \{\varphi, \varphi \to \varphi'\} \subseteq \mathit{Cl}^n(\Gamma)\ \}\ \cup$ (modus ponens, MP)

$\{\ M ::_a^{\mathcal{C}} \varphi \mid \varphi \in \mathit{Cl}^n(\Gamma)\ \}\ \cup$ (necessitation, N)

$\{\ (M ::_a^{\mathcal{C}} \varphi) \leftrightarrow M' ::_a^{\mathcal{C}} \varphi \mid (a\,k\,M \leftrightarrow a\,k\,M') \in \mathit{Cl}^n(\Gamma)\ \}$ (epistemic bitonicity).

We call LiiP a base theory, and $\mathit{Cl}(\Gamma)$ an LiiP-theory for any $\Gamma \subseteq \mathcal{L}$.

Notice the logical order of LiiP, which is, due to propositions about (proofs of) propositions, higher-order propositional. Further, observe that we assume the existence of a dependable mechanism for signing messages, which we model with the above synthesis and analysis axioms. In trusted multi-agent systems, signatures are unforged, and thus such a mechanism is trivially given by the inclusion of the sender's name in the sent message, or by the sender's sensorial impression on the receiver when communication is immediate. In distrusted multi-agent systems (e.g., the open Internet), a practically unforgeable signature mechanism can be implemented with classical certificate-based or, more directly, with identity-based public-key cryptography [Kat10]. We also assume the existence of a pairing mechanism modelling finite sets. Such a mechanism is required by the important application of communication (not only cryptographic) protocols [And08, Chapter 3], in which concatenation of high-level data packets is associative, commutative, and idempotent. The key to the validity of K is that we understand interactive proofs as sufficient evidence for intended resource-unbounded proof-checking agents (who are though still unable to guess), see [Kra12, Section 3.2.2] for more details. Next, the significance of epistemic truthfulness to interactivity is that in truly distributed multi-agent systems, not all proofs are known by all agents, i.e., agents are not omniscient with respect to messages. Otherwise, why communicate with each other? So there being a proof does not imply knowledge of that proof. When an agent $a$ does not know the proof and the agent cannot generate the proof ex nihilo herself by guessing it, only communication from a peer, who thus acts as an oracle, can entail the knowledge of the proof with $a$. That is, provability and truth are necessarily concomitant in the non-interactive setting, whereas in interactive settings they are not necessarily so [Kra12]. In nominal peer review, "can prove" suggests the proof potentiality of $(M, b)$: "if $a$ were to know, e.g., receive, $(M, b)$" (and thus know her potential interlocutor $b$'s name). Whereas given $\{[M]\}_a$ to $b$, e.g., in an acknowledgement from $a$, "does prove" suggests the proof actuality of $M$: "$a$ does know, e.g., did receive, $(M, b)$", otherwise $a$ could not have signed $M$. See the proof of Corollary 4.5 for a semantic justification of the raison d'être of $b$ in $(M, b)$. Then, the justification for the necessitation rule (schema) is that in interactive settings, validities, and thus a fortiori tautologies (in the strict sense of validities of the propositional fragment), are in some sense trivialities [Kra12]. To see why, recall that modal validities are true in all pointed models (cf. Definition 6), and thus not worth being communicated from one point to another in a given model, e.g., by means of specific interactive proofs. (Nothing is logically more embarrassing than talking in tautologies.) Therefore, validities deserve arbitrary proofs. What is worth being communicated are truths weaker than validities, namely local truths in the standard model-theoretic sense (cf. Definition 6), which may not hold universally. Otherwise why communicate with each other? Finally, observe that epistemic bitonicity is a rule of logical modularity that allows the modular generation of structural modal laws from equivalence term laws (cf. Theorem 1).

The grey-shading in Definition 2 indicates that the axioms and rules of LiiP differ from those of LiP in exactly Kripke's law, nominal peer review, and epistemic bitonicity (cf. [Kra12] and Section 3). In LiP, these three LiiP-laws correspond to the generalised Kripke-law $(M :_a^{\mathcal{C}} (\varphi \to \varphi')) \to ((M' :_a^{\mathcal{C}} \varphi) \to (M, M') :_a^{\mathcal{C}} \varphi')$, (plain) peer review $(M :_a^{\mathcal{C}} \varphi) \to \bigwedge_{b \in \mathcal{C} \cup \{a\}} (\{[M]\}_a :_b^{\mathcal{C} \cup \{a\}} (a\,k\,M \wedge M :_a^{\mathcal{C}} \varphi))$, and epistemic antitonicity "from $a\,k\,M \to a\,k\,M'$ deduce $(M' :_a^{\mathcal{C}} \varphi) \to M :_a^{\mathcal{C}} \varphi$", respectively. The addition of the axiom schema

$(M ::_a^{\mathcal{C}} \varphi) \to (M, M') ::_a^{\mathcal{C}} \varphi$

to LiiP will result in a logic LiiP$^+$ that is isomorphic to LiP (cf. Theorem 4). So in some sense, the essential difference between instant proofs (proofs for at least an instant) and persistent proofs (proofs for eternity) is distilled in this single additional law. Following Artemov in [Art08], this law can be interpreted as Lehrer and Paxson's indefeasibility condition for justified true belief [Kra12]. In sum, while both LiP-proofs and LiiP-proofs are indefeasible in the instant when they are learnt (they induce knowledge, not only belief), LiiP-proofs (LiP-proofs) are possibly (necessarily) (in)defeasible in the future of the instant in which they are learnt.

Now note the following macro-definitions: $\top := a\,k\,a$, $\bot := \neg\top$, $\varphi \vee \varphi' := \neg(\neg\varphi \wedge \neg\varphi')$, $\varphi \to \varphi' := \neg\varphi \vee \varphi'$, and $\varphi \leftrightarrow \varphi' := (\varphi \to \varphi') \wedge (\varphi' \to \varphi)$. In the sequel, ":iff" abbreviates "by definition, if and only if".

Proposition 1 (Hilbert-style proof system). Let

• $\Phi \vdash_{\mathrm{LiiP}} \varphi$ :iff if $\Phi \subseteq \mathrm{LiiP}$ then $\varphi \in \mathrm{LiiP}$

• $\varphi \dashv\vdash_{\mathrm{LiiP}} \varphi'$ :iff $\{\varphi\} \vdash_{\mathrm{LiiP}} \varphi'$ and $\{\varphi'\} \vdash_{\mathrm{LiiP}} \varphi$

• $\vdash_{\mathrm{LiiP}} \varphi$ :iff $\emptyset \vdash_{\mathrm{LiiP}} \varphi$.

In other words, $\vdash_{\mathrm{LiiP}} \subseteq 2^{\mathcal{L}} \times \mathcal{L}$ is a system of closure conditions in the sense of [Tay99, Definition 3.7.4]. For example:

1. for all axioms $\varphi \in \Gamma_1$, $\vdash_{\mathrm{LiiP}} \varphi$

2. for modus ponens, $\{\varphi, \varphi \to \varphi'\} \vdash_{\mathrm{LiiP}} \varphi'$

3. for necessitation, $\{\varphi\} \vdash_{\mathrm{LiiP}} M ::_a^{\mathcal{C}} \varphi$

4. for epistemic bitonicity, $\{a\,k\,M \leftrightarrow a\,k\,M'\} \vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C}} \varphi) \leftrightarrow M' ::_a^{\mathcal{C}} \varphi$.

(In the space-saving, horizontal Hilbert-notation "$\Phi \vdash_{\mathrm{LiiP}} \varphi$", $\Phi$ is not a set of hypotheses but a set of premises, cf. modus ponens, necessitation, and epistemic bitonicity.) Then $\vdash_{\mathrm{LiiP}}$ can be viewed as being defined by a $\mathit{Cl}$-induced Hilbert-style proof system. In fact $\mathit{Cl} : 2^{\mathcal{L}} \to 2^{\mathcal{L}}$ is a standard consequence operator, i.e., a substitution-invariant compact closure operator.

Proof. Like in [Kra12]. That a Hilbert-style proof system can be viewed as induced by a compact closure operator is well-known (e.g., see [Gab95]); that $\mathit{Cl}$ is indeed such an operator can be verified by inspection of the inductive definition of $\mathit{Cl}$; and substitution invariance follows from our definitional use of axiom schemas.³ □

³ Alternatively to axiom schemas, we could have used axioms together with an additional substitution-rule set $\{\ \sigma[\varphi] \mid \varphi \in \mathit{Cl}^n(\Gamma)\ \}$ in the definiens of $\mathit{Cl}^{n+1}(\Gamma)$.

Corollary 1 (Normality). LiiP is a normal modal logic.

Proof. Jointly by Kripke's law, modus ponens, necessitation (these by definition), and substitution invariance (cf. Proposition 1). □

We are now going to present some useful (further-used), deducible structural laws of LiiP. Here, "structural" means "deducible exclusively from term axioms". The laws are enumerated in a (total) order that respects (but cannot reflect) their respective proof prerequisites. The laws are also deducible in LiP, in the same order [Kra12]. (All LiiP-deducible laws are also LiP-deducible, but not vice versa.)

Theorem 1 (Some useful deducible structural laws).

1. $\vdash_{\mathrm{LiiP}} a\,k\,(M, M') \to a\,k\,M$ (left projection, 1-way K-combinator property)

2. $\vdash_{\mathrm{LiiP}} a\,k\,(M, M') \to a\,k\,M'$ (right projection)

3. $\vdash_{\mathrm{LiiP}} a\,k\,(M, M) \leftrightarrow a\,k\,M$ (pairing idempotency)

4. $\vdash_{\mathrm{LiiP}} a\,k\,(M, M') \leftrightarrow a\,k\,(M', M)$ (pairing commutativity)

5. $\vdash_{\mathrm{LiiP}} (a\,k\,M \to a\,k\,M') \leftrightarrow (a\,k\,(M, M') \leftrightarrow a\,k\,M)$ (neutral pair elements)

6. $\vdash_{\mathrm{LiiP}} a\,k\,(M, a) \leftrightarrow a\,k\,M$ (self-neutral pair element)

7. $\vdash_{\mathrm{LiiP}} a\,k\,(M, (M', M'')) \leftrightarrow a\,k\,((M, M'), M'')$ (pairing associativity)

8. $\vdash_{\mathrm{LiiP}} ((M, M) ::_a^{\mathcal{C}} \varphi) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ (proof idempotency)

9. $\vdash_{\mathrm{LiiP}} ((M, M') ::_a^{\mathcal{C}} \varphi) \leftrightarrow (M', M) ::_a^{\mathcal{C}} \varphi$ (proof commutativity)

10. $\{a\,k\,M \to a\,k\,M'\} \vdash_{\mathrm{LiiP}} ((M, M') ::_a^{\mathcal{C}} \varphi) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ (neutral proof elements)

11. $\vdash_{\mathrm{LiiP}} ((M, a) ::_a^{\mathcal{C}} \varphi) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ (self-neutral proof element)

12. $\vdash_{\mathrm{LiiP}} ((M, (M', M'')) ::_a^{\mathcal{C}} \varphi) \leftrightarrow ((M, M'), M'') ::_a^{\mathcal{C}} \varphi$ (proof associativity)

13. $\vdash_{\mathrm{LiiP}} (\{[M]\}_a ::_a^{\mathcal{C}} \varphi) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ (self-signing idempotency)

Proof. Laws 1-7 and 13 are proved like in LiP [Kra12], as LiiP and LiP have identical term axioms. Laws 8, 9, 11, and 12 follow immediately from Laws 3, 4, 6, and 7, respectively, by epistemic bitonicity. For Law 10, suppose that $\vdash_{\mathrm{LiiP}} a\,k\,M \to a\,k\,M'$. Hence $\vdash_{\mathrm{LiiP}} a\,k\,(M, M') \leftrightarrow a\,k\,M$ by the law of neutral pair elements and propositional logic. Hence $\vdash_{\mathrm{LiiP}} ((M, M') ::_a^{\mathcal{C}} \varphi) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ by epistemic bitonicity. □

Like in LiP [Kra12], the preceding 1-way K-combinator property and the following simple corollary of Theorem 1 jointly establish the important fact that our communicating agents can be viewed as combinators in the sense of Combinatory Logic viewed in turn as a (non-equational) theory of (message or proof) term reduction [HS08]. (The converse of the above K-combinator property does not hold.)

Corollary 2 (S-combinator property).

1. $\vdash_{\mathrm{LiiP}} a\,k\,((M, M'), M'') \leftrightarrow a\,k\,(M, (M'', (M', M'')))$

2. $\vdash_{\mathrm{LiiP}} (((M, M'), M'') ::_a^{\mathcal{C}} \varphi) \leftrightarrow (M, (M'', (M', M''))) ::_a^{\mathcal{C}} \varphi$

Proof. 1 follows jointly from idempotency (copy $M''$), commutativity, and associativity of pairing; and 2 follows jointly from 1 and epistemic bitonicity. □

We are going to present also some useful (further-used) deducible logical laws of LiiP. Here, "logical" means "not structural" in the previously defined sense. Also these laws are enumerated in an order that respects their respective proof prerequisites, and are deducible in LiP in the same order [Kra12].

Theorem 2 (Some useful deducible logical laws).

1. $\{\varphi \to \varphi'\} \vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C}} \varphi) \to M ::_a^{\mathcal{C}} \varphi'$ (regularity)

2. $\{a\,k\,M \leftrightarrow a\,k\,M',\ \varphi \to \varphi'\} \vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C}} \varphi) \to M' ::_a^{\mathcal{C}} \varphi'$ (biepistemic regularity)

3. $\vdash_{\mathrm{LiiP}} ((M ::_a^{\mathcal{C}} \varphi) \wedge M ::_a^{\mathcal{C}} \varphi') \leftrightarrow M ::_a^{\mathcal{C}} (\varphi \wedge \varphi')$ (proof conjunctions bis)

4. $\vdash_{\mathrm{LiiP}} ((M ::_a^{\mathcal{C}} \varphi) \vee M ::_a^{\mathcal{C}} \varphi') \to M ::_a^{\mathcal{C}} (\varphi \vee \varphi')$ (proof disjunctions bis)

5. $\vdash_{\mathrm{LiiP}} M ::_a^{\mathcal{C}} \top$ (anything can prove tautological truth)

6. $\vdash_{\mathrm{LiiP}} \{[M]\}_b ::_a^{\mathcal{C} \cup \{b\}} b\,k\,M$ (authentic knowledge)

7. $\vdash_{\mathrm{LiiP}} M ::_a^{\emptyset} a\,k\,M$ (self-knowledge)

8. $\vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C} \cup \mathcal{C}'} \varphi) \to ((M ::_a^{\mathcal{C}} \varphi) \wedge M ::_a^{\mathcal{C}'} \varphi)$ (group decomposition bis)

9. $\vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C} \cup \{a\}} \varphi) \leftrightarrow (M ::_a^{\mathcal{C}} \varphi)$ (self-neutral group element)

10. $\vdash_{\mathrm{LiiP}} M ::_a^{\mathcal{C}} ((M ::_a^{\mathcal{C}} \varphi) \to \varphi)$ (self-proof of truthfulness)

11. $\vdash_{\mathrm{LiiP}} M ::_a^{\mathcal{C}} (\neg(M ::_a^{\mathcal{C}} \bot))$ (self-proof of proof consistency)

12. $\vdash_{\mathrm{LiiP}} (M ::_a^{\mathcal{C}} (M ::_a^{\mathcal{C}} \varphi)) \leftrightarrow M ::_a^{\mathcal{C}} \varphi$ (modal idempotency)

Proof. Like in LiP [Kra12]. □

Like in LiP, the key to the validity of modal idempotency is that each agent (e.g., $a$) can act herself as proof-checker, see [Kra12, Section 3.2.2] for more details.

We now continue to (re)present the constructive semantics for LiiP (cf. [Kra12, Section 2.2]) and establish some important new and further-used results about it. The essential differences to the semantics of LiP are grey-shaded.

Definition 3 (Semantic ingredients). For the knowledge-constructive model-theoretic study of LiiP let

• $\mathcal{S}$ designate the state space — a set of system states $s$

• $\mathrm{msgs}_a : \mathcal{S} \to 2^{\mathcal{M}}$ designate a raw-data extractor that extracts (without analysing) the (finite) set of messages from a system state $s$ that agent $a \in \mathcal{A}$ has either generated (assuming that only $a$ can generate $a$'s signature) or else received as such (not only as a strict subterm of another message); that is, $\mathrm{msgs}_a(s)$ is $a$'s data base in $s$

• $\mathrm{cl}_a^s : 2^{\mathcal{M}} \to 2^{\mathcal{M}}$ designate a data-mining operator such that $\mathrm{cl}_a^s(\mathcal{D}) := \mathrm{cl}_a(\mathrm{msgs}_a(s) \cup \mathcal{D}) := \bigcup_{n \in \mathbb{N}} \mathrm{cl}_a^n(\mathrm{msgs}_a(s) \cup \mathcal{D})$, where for all $\mathcal{D} \subseteq \mathcal{M}$:

$\mathrm{cl}_a^0(\mathcal{D}) := \{a\} \cup \mathcal{D}$

$\mathrm{cl}_a^{n+1}(\mathcal{D}) := \mathrm{cl}_a^n(\mathcal{D})\ \cup$

$\{\ (M, M') \mid \{M, M'\} \subseteq \mathrm{cl}_a^n(\mathcal{D})\ \}\ \cup$ (pairing)

$\{\ M, M' \mid (M, M') \in \mathrm{cl}_a^n(\mathcal{D})\ \}\ \cup$ (unpairing)

$\{\ \{[M]\}_a \mid M \in \mathrm{cl}_a^n(\mathcal{D})\ \}\ \cup$ (personal signature synthesis)

$\{\ (M, b) \mid \{[M]\}_b \in \mathrm{cl}_a^n(\mathcal{D})\ \}$ (universal signature analysis)

• $\leq_a^M \subseteq \mathcal{S} \times \mathcal{S}$ designate a data preorder on states such that for all $s, s' \in \mathcal{S}$, $s \leq_a^M s'$ :iff $\mathrm{cl}_a^s(\{M\}) = \mathrm{cl}_a^{s'}(\emptyset)$, where $M$ can be viewed as oracle input in addition to $a$'s individual-knowledge base $\mathrm{cl}_a^s(\emptyset)$ (cf. also [Kr…])

• $\equiv_a := \leq_a^a$ designate an equivalence relation of state indistinguishability

• ${}_M R_a^{\mathcal{C}} \subseteq \mathcal{S} \times \mathcal{S}$ designate a concretely constructed accessibility relation — short, concrete accessibility — for the proof modality such that for all $s, s' \in \mathcal{S}$,

$s\ {}_M R_a^{\mathcal{C}}\ s'$ :iff $s' \in \bigcup \{\ [s'']_{\equiv_a} \mid s \leq_{\mathcal{C} \cup \{a\}}^M s'' \text{ and } M \in \mathrm{cl}_a^{s''}(\emptyset)\ \}$

(iff there is $s'' \in \mathcal{S}$ s.t. $s \leq_{\mathcal{C} \cup \{a\}}^M s''$ and $M \in \mathrm{cl}_a^{s''}(\emptyset)$ and $s'' \equiv_a s'$)

Note that the data-mining operator $\mathrm{cl}_a : 2^{\mathcal{M}} \to 2^{\mathcal{M}}$ is a compact closure operator, which induces a data-derivation relation $\vdash_a \subseteq 2^{\mathcal{M}} \times \mathcal{M}$ such that $\mathcal{D} \vdash_a M$ :iff $M \in \mathrm{cl}_a(\mathcal{D})$, which (1) has the compactness and (2) the cut property, (3) is decidable in deterministic polynomial time in the size of $\mathcal{D}$ and $M$, and (4) induces a Scott information system of information tokens $M$ [Kra12]. Fact 1 establishes the knowledge-constructiveness of our Kripke-model for LiiP (cf. Definition 5).
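The closure operator $\mathrm{cl}_a$, the derivation relation $\mathcal{D} \vdash_a M$ and the data preorder $\leq_a^M$ of Definition 3 are executable as stated. The following Python is an added example, not code from the paper: it decides $\mathcal{D} \vdash_a M$ by analysing first and synthesising on demand (the normalisation behind the polynomial-time claim), decides $\mathrm{cl}_a(\mathcal{D}_1) = \mathrm{cl}_a(\mathcal{D}_2)$ by mutual derivability of the analysed generators, and checks Lemma 1 and Proposition 4 on constructed states. The tuple encoding of terms, the helper names, and the instantiation of the blank data $B$ by strings are assumptions of the example.

```python
"""Added example (not from the paper): the data-mining closure cl_a, the
derivation relation D |-_a M, and the data preorder s <=_a^M s' of
Definition 3, on a tuple encoding of message terms (an assumption here)."""
from typing import Dict, FrozenSet

# Term encoding assumed by this example:
#   ('name', a)      agent name a          ('sig', a, M)   {[M]}_a
#   ('data', B)      datum B as a string   ('pair', M, N)  (M, N)
Term = tuple
Model = Dict[str, Dict[str, FrozenSet[Term]]]  # msgs[a][s] = msgs_a(s)

def name(a: str) -> Term: return ('name', a)
def data(b: str) -> Term: return ('data', b)
def sig(a: str, m: Term) -> Term: return ('sig', a, m)
def pair(m: Term, n: Term) -> Term: return ('pair', m, n)

def analyse(a: str, D: FrozenSet[Term]) -> FrozenSet[Term]:
    """Finite generator set of cl_a(D): {a} u D closed under the analysis
    rules only (unpairing; universal signature analysis, which yields the
    signed message and the signer's name from any {[M]}_b)."""
    base = set(D) | {name(a)}
    todo = list(base)
    while todo:
        t = todo.pop()
        parts = ([t[1], t[2]] if t[0] == 'pair' else
                 [t[2], name(t[1])] if t[0] == 'sig' else [])
        for p in parts:
            if p not in base:
                base.add(p)
                todo.append(p)
    return frozenset(base)

def derives(a: str, D: FrozenSet[Term], M: Term) -> bool:
    """D |-_a M  :iff  M in cl_a(D). Analyse first, then synthesise on
    demand (pairing, personal signature synthesis): every cl_a-rule applied
    to a synthesised term yields only terms already in hand, so this
    normalisation is complete and runs in polynomial time."""
    A = analyse(a, D)

    def synth(t: Term) -> bool:
        if t in A:
            return True
        if t[0] == 'pair':
            return synth(t[1]) and synth(t[2])
        if t[0] == 'sig' and t[1] == a:      # only a can sign as a
            return synth(t[2])
        return False                          # names/data must be in hand
    return synth(M)

def cl_equal(a: str, D1: FrozenSet[Term], D2: FrozenSet[Term]) -> bool:
    """cl_a(D1) = cl_a(D2): the generators of each side are derivable from
    the other side (cl_a(D) is the synthesis closure of analyse(a, D))."""
    return (all(derives(a, D2, t) for t in analyse(a, D1)) and
            all(derives(a, D1, t) for t in analyse(a, D2)))

def leq(a: str, msgs: Model, s: str, s2: str, M: Term) -> bool:
    """s <=_a^M s2  :iff  cl_a^s({M}) = cl_a^{s2}(empty): with M as oracle
    input in s, a knows exactly what a knows in s2 without it."""
    return cl_equal(a, msgs[a][s] | {M}, msgs[a][s2])

def indist(a: str, msgs: Model, s: str, s2: str) -> bool:
    """s ==_a s2 := s <=_a^a s2 (state indistinguishability for a)."""
    return leq(a, msgs, s, s2, name(a))

def knows(a: str, msgs: Model, s: str, M: Term) -> bool:
    """s in V(a k M)  :iff  M in cl_a^s(empty)."""
    return derives(a, msgs[a][s], M)

# Constructed states (not from the paper): in s0 agent a holds nothing, in
# s1 it has received b's signed datum x, in s2 additionally the datum y.
M1 = sig('b', data('x'))
M2 = data('y')
MSGS: Model = {'a': {'s0': frozenset(), 's1': frozenset({M1}),
                     's2': frozenset({M1, M2})}}

def demo() -> Dict[str, bool]:
    """Checks of Definition 3, Lemma 1 and Proposition 4 on MSGS."""
    return {
        # oracle input M1 lifts a's knowledge in s0 to exactly that in s1
        's0 <=^M1 s1': leq('a', MSGS, 's0', 's1', M1),
        # Lemma 1: s <=^M s' implies s' <=^M s'
        's1 <=^M1 s1': leq('a', MSGS, 's1', 's1', M1),
        # Proposition 2.2.a: s <=^M s fails when M is not in cl_a^s(empty)
        's0 <=^M1 s0': leq('a', MSGS, 's0', 's0', M1),
        # Proposition 4: s0 <=^M1 s1 and s1 <=^M2 s2 give s0 <=^(M1,M2) s2
        's0 <=^(M1,M2) s2': leq('a', MSGS, 's0', 's2', pair(M1, M2)),
        # universal signature analysis: from {[x]}_b, a learns x and b
        'a k (x,b) in s1': knows('a', MSGS, 's1', pair(data('x'), name('b'))),
        # but a cannot forge b's signature on y
        'a k {[y]}_b in s2': knows('a', MSGS, 's2', sig('b', M2)),
        # while a can sign what a knows
        'a k {[(x,y)]}_a in s2': knows('a', MSGS, 's2',
                                       sig('a', pair(data('x'), M2))),
    }

if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```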

Fact 1 (Kripke-model knowledge-constructiveness).

for all $s' \in \mathcal{S}$, if $s\ {}_M R_a^{\mathcal{C}}\ s'$ then $(\mathfrak{S}, \mathcal{V}), s' \models \varphi$

if and only if

for all $s'' \in \mathcal{S}$, if $s \leq_{\mathcal{C} \cup \{a\}}^M s''$ then $(\mathfrak{S}, \mathcal{V}), s'' \models a\,k\,M \to K_a(\varphi)$,

where $a\,k\,M$ is the sufficient evidence and $K_a(\varphi)$ the induced knowledge, and where the standard epistemic modality $K_a$ is defined like in [MV07] as

$(\mathfrak{S}, \mathcal{V}), s \models K_a(\varphi)$ :iff for all $s' \in \mathcal{S}$, if $s \equiv_a s'$ then $(\mathfrak{S}, \mathcal{V}), s' \models \varphi$.

Proof. By elementary-logical transformations of the definiens of ${}_M R_a^{\mathcal{C}}$. □

Lemma 1. If $s \leq_a^M s'$ then $s' \leq_a^M s'$.

Proof. Consider that when $s \leq_a^M s'$, $M \in \mathrm{cl}_a^{s'}(\emptyset)$, and thus $\mathrm{cl}_a^{s'}(\{M\}) = \mathrm{cl}_a^{s'}(\emptyset)$. □

Proposition 2 (Restricted reflexivity).

1. $s \leq_a^a s$ (self-reflexivity)

2. biconditional reflexivity:

(a) $s \leq_a^M s$ if and only if $M \in \mathrm{cl}_a^s(\emptyset)$

(b) $s \leq_a^M s$ if and only if there is $s' \in \mathcal{S}$ such that $s' \leq_a^M s$

Proof. For 1, consider that $a \in \mathrm{cl}_a^s(\emptyset)$, and thus $\mathrm{cl}_a^s(\{a\}) = \mathrm{cl}_a^s(\emptyset)$. For 2.a, inspect the proof of Lemma 1. For the forward direction of 2.b, take $s$ as $s'$; and for the backward direction apply Lemma 1. □
Proposition 3 (Self-symmetry).

If $s \leq_a^a s'$ then $s' \leq_a^a s$.

Proof. By expansion of the definition of '$\leq_a^a$' and the symmetry of equality. □
Proposition 4 (Generalised transitivity).

If $s \leq_a^M s'$ and $s' \leq_a^{M'} s''$ then $s \leq_a^{(M, M')} s''$.

Proof. Let $s, s', s'' \in \mathcal{S}$ and suppose that $s \leq_a^M s'$ and $s' \leq_a^{M'} s''$. Thus:

1. $\mathrm{cl}_a^s(\{M\}) = \mathrm{cl}_a^{s'}(\emptyset)$; thus $M \in \mathrm{cl}_a^{s'}(\emptyset)$, thus:

(a) $M \in \mathrm{cl}_a^{s'}(\{M'\})$ by closure monotonicity ($\emptyset \subseteq \{M'\}$),

(b) $\mathrm{cl}_a^{s'}(\emptyset) = \mathrm{cl}_a^{s'}(\{M\})$, thus $\mathrm{cl}_a^s(\{M\}) = \mathrm{cl}_a^{s'}(\{M\})$, and hence $\mathrm{cl}_a^s(\{(M, M')\}) = \mathrm{cl}_a^{s'}(\{(M, M')\})$;

2. $\mathrm{cl}_a^{s'}(\{M'\}) = \mathrm{cl}_a^{s''}(\emptyset)$; thus $M' \in \mathrm{cl}_a^{s''}(\emptyset)$, thus $\mathrm{cl}_a^{s''}(\emptyset) = \mathrm{cl}_a^{s''}(\{M'\})$, thus $\mathrm{cl}_a^{s'}(\{M'\}) = \mathrm{cl}_a^{s''}(\{M'\})$, and hence $\mathrm{cl}_a^{s'}(\{(M, M')\}) = \mathrm{cl}_a^{s''}(\{(M, M')\})$.

Hence:

• $M \in \mathrm{cl}_a^{s''}(\emptyset)$ by 1.a and the first assertion in 2, thus $(M, M') \in \mathrm{cl}_a^{s''}(\emptyset)$ by the second assertion in 2 and pairing closure, thus $\mathrm{cl}_a^{s''}(\emptyset) = \mathrm{cl}_a^{s''}(\{(M, M')\})$;

• $\mathrm{cl}_a^s(\{(M, M')\}) = \mathrm{cl}_a^{s''}(\{(M, M')\})$ by 1.b and 2.

Hence $\mathrm{cl}_a^s(\{(M, M')\}) = \mathrm{cl}_a^{s''}(\emptyset)$, and thus $s \leq_a^{(M, M')} s''$ by definition. □

Corollary 3 (Transitivity).

If $s \leq_a^M s'$ and $s' \leq_a^M s''$ then $s \leq_a^M s''$.

Proof. Directly from Proposition 4 by the fact that $\mathrm{cl}_a^s(\{(M, M)\}) = \mathrm{cl}_a^s(\{M\})$. □

So as announced in Definition 3, '$\leq_a^M$' is indeed a (non-reflexive) preorder, and '$\equiv_a$' indeed an equivalence relation (cf. Propositions 2.1 and 3).

Definition 4 (Message ordering and equivalence).

• $M \sqsubseteq_a^s M'$ :iff if $M \in \mathrm{cl}_a^s(\emptyset)$ then $M' \in \mathrm{cl}_a^s(\emptyset)$

• $M \equiv_a^s M'$ :iff $M \sqsubseteq_a^s M'$ and $M' \sqsubseteq_a^s M$

• $M \sqsubseteq_a M'$ :iff for all $s \in \mathcal{S}$, $M \sqsubseteq_a^s M'$

• $M \equiv_a M'$ :iff for all $s \in \mathcal{S}$, $M \equiv_a^s M'$

Fact 2. $\sqsubseteq_a \subseteq \mathcal{M} \times \mathcal{M}$ is a pre- but not a partial order.
Proposition 5 (Conditional stability).

If $M \equiv_a M'$ then $\leq_a^M = \leq_a^{M'}$.

Proof. Suppose that for all $s'' \in \mathcal{S}$, $M \in \mathrm{cl}_a^{s''}(\emptyset)$ if and only if $M' \in \mathrm{cl}_a^{s''}(\emptyset)$, and let $s, s' \in \mathcal{S}$. For the $\subseteq$-part, suppose that $s \leq_a^M s'$, i.e., $\mathrm{cl}_a^s(\{M\}) = \mathrm{cl}_a^{s'}(\emptyset)$, and thus $M \in \mathrm{cl}_a^{s'}(\emptyset)$. Hence:

1. $M' \in \mathrm{cl}_a^{s'}(\emptyset)$ by particularisation of the first hypothesis, and $(M, M') \in \mathrm{cl}_a^{s'}(\emptyset)$ by pairing closure; and thus $\mathrm{cl}_a^{s'}(\{(M, M')\}) = \mathrm{cl}_a^{s'}(\emptyset)$;

2. $M \in \mathrm{cl}_a^s(\emptyset)$ if and only if $M' \in \mathrm{cl}_a^s(\emptyset)$ by particularisation of the first hypothesis, thus $M \in \mathrm{cl}_a^s(\{M'\})$ if and only if $M' \in \mathrm{cl}_a^s(\{M'\})$, thus $M \in \mathrm{cl}_a^s(\{M'\})$, and thus $\mathrm{cl}_a^s(\{M'\}) = \mathrm{cl}_a^s(\{(M, M')\})$;

3. $\mathrm{cl}_a^{s'}(\{M\}) = \mathrm{cl}_a^{s'}(\emptyset)$, thus $\mathrm{cl}_a^{s'}(\{M\}) = \mathrm{cl}_a^s(\{M\})$, and thus $\mathrm{cl}_a^{s'}(\{(M, M')\}) = \mathrm{cl}_a^s(\{(M, M')\})$.

Hence $\mathrm{cl}_a^s(\{M'\}) = \mathrm{cl}_a^{s'}(\emptyset)$ by 1, 2, and 3. And symmetrically for the $\supseteq$-part. □
Proposition 6 (Communal lifting).

1. If $\mathcal{C} \subseteq \mathcal{C}'$ then $\leq_{\mathcal{C}}^M \subseteq \leq_{\mathcal{C}'}^M$ (communal monotonicity).

2. If $M \in \mathrm{cl}_a^s(\emptyset)$ then $s \leq_{\mathcal{C} \cup \{a\}}^M s$ (conditional reflexivity).

3. If $M \equiv_a M'$ then $\leq_{\mathcal{C} \cup \{a\}}^M = \leq_{\mathcal{C} \cup \{a\}}^{M'}$ (conditional stability).

Proof. 1 follows directly from definitions, 2 from 1 and Proposition 2.2.a, and 3 from Proposition 5 and the definition of '$\leq_{\mathcal{C} \cup \{a\}}^M$' and '$\leq_{\mathcal{C} \cup \{a\}}^{M'}$'. □

Proposition 7 (Signature property).

If $s \leq_{\mathcal{C} \cup \{a\}}^{\{[M]\}_a} s'$ then $M \in \mathrm{cl}_a^{s'}(\emptyset)$.

Proof. Let $s, s' \in \mathcal{S}$ and suppose that $s \leq_{\mathcal{C} \cup \{a\}}^{\{[M]\}_a} s'$. Thus there is $b \in \mathcal{C}$ such that $s \leq_b^{\{[M]\}_a} s'$. Hence $\{[M]\}_a \in \mathrm{cl}_b^{s'}(\emptyset)$ by biconditional reflexivity (cf. Proposition 2.2.a). But then also $M \in \mathrm{cl}_a^{s'}(\emptyset)$ by the unforgeability of signatures (cf. the closure conditions of personal/universal signature synthesis/analysis). That is, nobody else than $a$ can have generated $\{[M]\}_a$, and thus $a$ also knows $M$. (Otherwise suppose that somebody else has, and derive a contradiction.) □

Corollary 4 (Concrete accessibility).

1. If $\mathcal{C} \subseteq \mathcal{C}'$ then ${}_M R_a^{\mathcal{C}} \subseteq {}_M R_a^{\mathcal{C}'}$ (communal monotonicity).

2. If $M \equiv_a M'$ then ${}_M R_a^{\mathcal{C}} = {}_{M'} R_a^{\mathcal{C}}$ (conditional stability).

3. If $M \in \mathrm{cl}_a^s(\emptyset)$ then $s\ {}_M R_a^{\mathcal{C}}\ s$ (conditional reflexivity).

4. If $s\ {}_{\{[M]\}_a} R_b^{\mathcal{C} \cup \{a\}}\ s'$ then $M \in \mathrm{cl}_a^{s'}(\emptyset)$ (signature property).

5. For all $b \in \mathcal{C} \cup \{a\}$, $({}_{\{[M]\}_a} R_b^{\mathcal{C} \cup \{a\}} \circ {}_M R_a^{\mathcal{C}}) \subseteq {}_{(M, b)} R_a^{\mathcal{C}}$ (communal transitivity).

Proof. 1-4 follow by inspection of definitions and Propositions 6 and 7. For 5, suppose that $b \in \mathcal{C} \cup \{a\}$ and let $s, s', s'' \in \mathcal{S}$. Further suppose that $s\ {}_{\{[M]\}_a} R_b^{\mathcal{C} \cup \{a\}}\ s'$ and $s'\ {}_M R_a^{\mathcal{C}}\ s''$. That is, (there is $\hat{s} \in \mathcal{S}$ such that $s \leq_{\mathcal{C} \cup \{a\} \cup \{b\}}^{\{[M]\}_a} \hat{s}$ and $\{[M]\}_a \in \mathrm{cl}_b^{\hat{s}}(\emptyset)$ and $\hat{s} \equiv_b s'$) and (there is $\hat{s}' \in \mathcal{S}$ such that $s' \leq_{\mathcal{C} \cup \{a\}}^M \hat{s}'$ and $M \in \mathrm{cl}_a^{\hat{s}'}(\emptyset)$ and $\hat{s}' \equiv_a s''$). Hence, $s \leq_{\mathcal{C} \cup \{a\}}^{\{[M]\}_a} \hat{s}$ by the first supposition and communal monotonicity ($\mathcal{C} \cup \{a\} \cup \{b\} = \mathcal{C} \cup \{a\}$), and also $\hat{s} \leq_b^b s'$ by definition (cf. second supposition). Hence consecutively, $\hat{s} \leq_{\mathcal{C} \cup \{a\}}^b s'$ by the first supposition and communal monotonicity ($\{b\} \subseteq \mathcal{C} \cup \{a\}$), $s \leq_{\mathcal{C} \cup \{a\}}^{(\{[M]\}_a, b)} s'$ by generalised transitivity, $s \leq_{\mathcal{C} \cup \{a\}}^{((\{[M]\}_a, b), M)} \hat{s}'$ by the third supposition and again generalised transitivity, $s \leq_{\mathcal{C} \cup \{a\}}^{(M, b)} \hat{s}'$ by conditional stability ($((\{[M]\}_a, b), M) \equiv_a (M, b)$), and thus finally $s\ {}_{(M, b)} R_a^{\mathcal{C}}\ s''$ by again the third supposition. □

Table 1: Satisfaction relation

$(\mathfrak{S}, \mathcal{V}), s \models P$ :iff $s \in \mathcal{V}(P)$

$(\mathfrak{S}, \mathcal{V}), s \models \neg\varphi$ :iff not $(\mathfrak{S}, \mathcal{V}), s \models \varphi$

$(\mathfrak{S}, \mathcal{V}), s \models \varphi \wedge \varphi'$ :iff $(\mathfrak{S}, \mathcal{V}), s \models \varphi$ and $(\mathfrak{S}, \mathcal{V}), s \models \varphi'$

$(\mathfrak{S}, \mathcal{V}), s \models M ::_a^{\mathcal{C}} \varphi$ :iff for all $s' \in \mathcal{S}$, if $s\ {}_M \mathcal{R}_a^{\mathcal{C}}\ s'$ then $(\mathfrak{S}, \mathcal{V}), s' \models \varphi$

Definition 5 (Kripke-model). We define the satisfaction relation '$\models$' for LiiP in Table 1, where

• $\mathcal{V} : \mathcal{P} \to 2^{S}$ designates a usual valuation function, yet partially predefined such that for all $a \in \mathcal{A}$ and $M \in \mathcal{M}$,

$\mathcal{V}(a\,k\,M) := \{ s \in S \mid M \in \mathrm{cl}^{s}_{a}(\emptyset) \}$

(If agents are Turing-machines then $a$ knowing $M$ can be understood as $a$ being able to parse $M$ on its tape.)

• $\mathfrak{S} := (S, \{{}_{M}\mathcal{R}^{C}_{a}\}_{M \in \mathcal{M},\, a \in \mathcal{A},\, C \subseteq \mathcal{A}})$ designates a (modal) frame for LiiP with an abstractly constrained accessibility relation (short: abstract accessibility) ${}_{M}\mathcal{R}^{C}_{a} \subseteq S \times S$ for the proof modality such that (the semantic interface):

  – if $C \subseteq C'$ then ${}_{M}\mathcal{R}^{C}_{a} \subseteq {}_{M}\mathcal{R}^{C'}_{a}$

  – if $M \equiv_a M'$ then ${}_{M}\mathcal{R}^{C}_{a} = {}_{M'}\mathcal{R}^{C}_{a}$

  – if $M \in \mathrm{cl}^{s}_{a}(\emptyset)$ then $s\ {}_{M}\mathcal{R}^{C}_{a}\ s$

  – if $s\ {}_{\{[M]\}_b}\mathcal{R}^{C}_{a}\ s'$ then $M \in \mathrm{cl}^{s'}_{b}(\emptyset)$

  – for all $b \in C \cup \{a\}$, $({}_{\{[M]\}_a}\mathcal{R}^{C \cup \{a\}}_{b} \circ {}_{M}\mathcal{R}^{C}_{a}) \subseteq {}_{(M,b)}\mathcal{R}^{C}_{a}$

• $(\mathfrak{S}, \mathcal{V})$ designates a (modal) model for LiiP.

Looking back, we recognise that Corollary 4 actually establishes the important fact that our concrete accessibility ${}_{M}R^{C}_{a}$ in Definition 3 realises all the properties stipulated by our abstract accessibility ${}_{M}\mathcal{R}^{C}_{a}$ in Definition 5; we say that ${}_{M}R^{C}_{a}$ exemplifies (or realises) ${}_{M}\mathcal{R}^{C}_{a}$. □

Further, observe that LiiP (like LiP) has a Herbrand-style semantics, i.e., logical constants (agent names) and functional symbols (pairing, signing) are self-interpreted rather than interpreted in terms of (other, semantic) constants and functions. This simplifying design choice spares our framework from the additional complexity that would arise from term-variable assignments [BG07], which in turn keeps our models propositionally modal. Our choice is admissible because our individuals (messages) are finite. (Infinitely long "messages" are non-messages; they can never be completely received, e.g., transmitting irrational numbers as such is impossible.)

Theorem 3 (Axiomatic adequacy). $\vdash_{\mathrm{LiiP}}$ is adequate for $\models$, i.e.:

1. if $\vdash_{\mathrm{LiiP}} \phi$ then $\models \phi$ (axiomatic soundness)

2. if $\models \phi$ then $\vdash_{\mathrm{LiiP}} \phi$ (semantic completeness).

Proof. Both parts can be proved with standard means: soundness follows as usual from the admissibility of the axioms and rules (cf. Appendix A.1); and completeness follows by means of the classical construction of canonical models, using Lindenbaum's construction of maximally consistent sets (cf. Appendix A.2). □


3 LiP as an extension of LiiP 

In this section, we reconstruct LiP syntactically, as a minimal conservative extension of LiiP with one simplified and one additional axiom schema, as well as semantically, with a simplified semantic interface that has none of the a posteriori constraints from [Kra12] but only standard, a priori constraints, i.e., stipulations.

Theorem 4. Define the LiiP-theory

$\mathrm{LiiP}^{+} := \mathrm{Cl}(\{ (M ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi \})$ (proof extension)

where Cl is as in Definition 2. Then LiiP⁺ is isomorphic to LiP, in symbols,

$\mathrm{LiiP}^{+} \cong \mathrm{LiP}$.

In particular, the generalised Kripke law GK as mentioned before and below is deducible in LiiP⁺, and thus we need only stipulate the simpler standard Kripke law K for LiP, like for LiiP. Moreover, alternatively to adding the axiom schema of proof extension to LiiP, we could equivalently replace the primitive rule schema of epistemic bitonicity in LiiP with the stronger one of epistemic antitonicity.

Proof. The isomorphism consists in simply switching between proof-modality notations, which in LiP is ':' and in LiiP⁺ '::'. Then, as already mentioned on Page 7, LiiP and LiP differ in the following corresponding axiom and deduction-rule schemas: Kripke's law K versus the generalised Kripke-law GK, nominal peer review (NPR) versus plain peer review, and epistemic bitonicity versus epistemic antitonicity (see below). Note that in the sequel PL abbreviates "(Classical) Propositional Logic," and $\vdash_{\mathrm{LiiP}^{+}}$ is defined similarly to $\vdash_{\mathrm{LiiP}}$.

• GK (cf. Line 7) becomes deducible:

1. $\vdash_{\mathrm{LiiP}^{+}} (M ::^{C}_{a} (\phi \to \phi')) \to (M, M') ::^{C}_{a} (\phi \to \phi')$ (proof extension)

2. $\vdash_{\mathrm{LiiP}^{+}} ((M, M') ::^{C}_{a} (\phi \to \phi')) \to (((M, M') ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi')$ (K)

3. $\vdash_{\mathrm{LiiP}^{+}} (M ::^{C}_{a} (\phi \to \phi')) \to (((M, M') ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi')$ (1, 2, PL)

4. $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to (M', M) ::^{C}_{a} \phi$ (proof extension)

5. $\vdash_{\mathrm{LiiP}^{+}} ((M', M) ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi$ (proof commutativity)

6. $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi$ (4, 5, PL)

7. $\vdash_{\mathrm{LiiP}^{+}} (M ::^{C}_{a} (\phi \to \phi')) \to ((M' ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi')$ (3, 6, PL).

• plain peer review (cf. Line 3) becomes deducible:

1. $\vdash_{\mathrm{LiiP}^{+}} \bigwedge_{b \in C \cup \{a\}} ((M ::^{C}_{a} \phi) \to (M, b) ::^{C}_{a} \phi)$ (proof extension)

2. $\vdash_{\mathrm{LiiP}^{+}} \bigwedge_{b \in C \cup \{a\}} (((M, b) ::^{C}_{a} \phi) \to \{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi))$ (NPR)

3. $\vdash_{\mathrm{LiiP}^{+}} (M ::^{C}_{a} \phi) \to \bigwedge_{b \in C \cup \{a\}} (\{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi))$ (1, 2, PL).

• epistemic antitonicity (cf. Line 8) becomes deducible:

1. $\vdash_{\mathrm{LiiP}^{+}} a\,k\,M \to a\,k\,M'$ (hyp.)

2. $\vdash_{\mathrm{LiiP}^{+}} ((M, M') ::^{C}_{a} \phi) \to M ::^{C}_{a} \phi$ (1, neutral proof elements)

3. $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to (M', M) ::^{C}_{a} \phi$ (proof extension)

4. $\vdash_{\mathrm{LiiP}^{+}} ((M', M) ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi$ (proof commutativity)

5. $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to (M, M') ::^{C}_{a} \phi$ (3, 4, PL)

6. $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to M ::^{C}_{a} \phi$ (2, 5, PL)

7. if $\vdash_{\mathrm{LiiP}^{+}} a\,k\,M \to a\,k\,M'$ then $\vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to M ::^{C}_{a} \phi$ (1–6, PL)

8. $\{ a\,k\,M \to a\,k\,M' \} \vdash_{\mathrm{LiiP}^{+}} (M' ::^{C}_{a} \phi) \to M ::^{C}_{a} \phi$ (7, def.)

Conversely, that is, assuming epistemic antitonicity, proof extension is directly deducible from jointly this assumption and (pair) left projection, like in LiP [Kra12]. □

Corollary 5 (Simplified semantic interface for LiP). A simplified semantic interface for LiP is given by the one for LiiP in Definition 5 but with the abstract accessibility ${}_{M}\mathcal{R}^{C}_{a} \subseteq S \times S$ being constrained

• such that

if $M \subseteq M'$ then ${}_{M}\mathcal{R}^{C}_{a} \subseteq {}_{M'}\mathcal{R}^{C}_{a}$ (proof monotonicity)

instead of being constrained by conditional stability;

• or alternatively such that

${}_{(M,M')}\mathcal{R}^{C}_{a} \subseteq {}_{M}\mathcal{R}^{C}_{a}$ (pair splitting)

in addition to being constrained by conditional stability.

Proof. It is straightforward to check that the semantic constraints of proof monotonicity and pair splitting correspond to the syntactic laws of epistemic antitonicity and proof extension, respectively, which are interdeducible (cf. Theorem 4). □



4 Conclusion 

We have proposed LiiP with as main contributions those described in Section 1.1. The notion of non-monotonic proofs captured by LiiP has the advantage of being not only operational thanks to our proof-theoretic definition but also declarative thanks to our complementary model-theoretic definition, which gives a constructive epistemic semantics to these proofs in the sense of explicating what (knowledge) they effect in agents in the instant of their reception, complementing thereby the (operational) axiomatics, which explicates how they do so.

We conclude by mentioning [BRS12] as a piece of related work. There, the authors present a resource-bounded implicit-single-agent but dynamic logic of defeasible (and thus non-monotonic) evidence-based S4-knowledge, where they use a particular primitive $Et$ for the implicit agent's knowledge of evidence terms $t$. The authors' atomic proposition $Et$ is a particular and strongly resource-bounded analog of my atomic proposition $a\,k\,M$ for an arbitrary agent $a$'s knowledge of message terms $M$. $Et$ is strongly resource-bounded in the sense that the term axioms for $Et$ are axioms for term decomposition but not for term composition. Similar restrictions could be made for $a\,k\,M$, but we opine that they would be too strong. At least some amount of term composition capabilities should be conceded also to resource-bounded agents. The authors' use of $Et$ is crucial for their contribution; they know of $a\,k\,M$ but must have accidentally not acknowledged its contribution to $Et$. See [Kra12] for historical references of my uses of $a\,k\,M$ in logics of explicit evidence/justification/proof. The addition of atomic propositions $a\,k\,M$ to languages of explicit evidence/justification/proof will probably play a similarly important role as the addition of atomic propositions $x \in S$ to the language of first-order logic (resulting in Set Theory).
A Axiomatic-adequacy proof

A.1 Axiomatic soundness

Definition 6 (Truth & Validity [BvB07]).

• The formula $\phi \in \mathcal{L}$ is true (or satisfied) in the model $(\mathfrak{S}, \mathcal{V})$ at the state $s \in S$ :iff $(\mathfrak{S}, \mathcal{V}), s \models \phi$.

• The formula $\phi$ is satisfiable in the model $(\mathfrak{S}, \mathcal{V})$ :iff there is $s \in S$ such that $(\mathfrak{S}, \mathcal{V}), s \models \phi$.

• The formula $\phi$ is globally true (or globally satisfied) in the model $(\mathfrak{S}, \mathcal{V})$, written $(\mathfrak{S}, \mathcal{V}) \models \phi$, :iff for all $s \in S$, $(\mathfrak{S}, \mathcal{V}), s \models \phi$.

• The formula $\phi$ is satisfiable :iff there is a model $(\mathfrak{S}, \mathcal{V})$ and a state $s \in S$ such that $(\mathfrak{S}, \mathcal{V}), s \models \phi$.

• The formula $\phi$ is valid, written $\models \phi$, :iff for all models $(\mathfrak{S}, \mathcal{V})$, $(\mathfrak{S}, \mathcal{V}) \models \phi$.
Proposition 8 (Admissibility of LiiP-specific axioms and rules).

1. $\models a\,k\,a$

2. $\models a\,k\,M \to a\,k\,\{[M]\}_a$

3. $\models a\,k\,\{[M]\}_b \to a\,k\,(M, b)$

4. $\models (a\,k\,M \wedge a\,k\,M') \to a\,k\,(M, M')$

5. $\models (M ::^{C}_{a} (\phi \to \phi')) \to ((M ::^{C}_{a} \phi) \to M ::^{C}_{a} \phi')$

6. $\models (M ::^{C}_{a} \phi) \to (a\,k\,M \to \phi)$

7. $\models \bigwedge_{b \in C \cup \{a\}} (((M, b) ::^{C}_{a} \phi) \to \{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi))$

8. $\models (M ::^{C \cup C'}_{a} \phi) \to M ::^{C}_{a} \phi$

10. If $\models a\,k\,M \leftrightarrow a\,k\,M'$ then $\models (M ::^{C}_{a} \phi) \leftrightarrow M' ::^{C}_{a} \phi$.

Proof. 1–4 are immediate; 5 and 9 hold by the fact that LiiP has a standard Kripke-semantics; 6 follows directly from the conditional reflexivity of '${}_{M}\mathcal{R}^{C}_{a}$', 8 directly from the communal monotonicity of '${}_{M}\mathcal{R}^{C}_{a}$', and 10 directly from the conditional stability of '${}_{M}\mathcal{R}^{C}_{a}$'. Finally, 7 follows jointly from the signature and the communal-transitivity property of '${}_{M}\mathcal{R}^{C}_{a}$', as follows: let $(\mathfrak{S}, \mathcal{V})$ designate an arbitrary LiiP-model and let $s \in S$. First, let $b \in C \cup \{a\}$ and suppose that $(\mathfrak{S}, \mathcal{V}), s \models (M, b) ::^{C}_{a} \phi$. Second, let $s' \in S$ and suppose that $s\ {}_{\{[M]\}_a}\mathcal{R}^{C \cup \{a\}}_{b}\ s'$. Hence $M \in \mathrm{cl}^{s'}_{a}(\emptyset)$ by the signature property, and thus $(\mathfrak{S}, \mathcal{V}), s' \models a\,k\,M$ by definition. Third, let $s'' \in S$ and suppose that $s'\ {}_{M}\mathcal{R}^{C}_{a}\ s''$. Hence, $s\ {}_{(M,b)}\mathcal{R}^{C}_{a}\ s''$ by the first, second, and third supposition and communal transitivity. Hence $(\mathfrak{S}, \mathcal{V}), s'' \models \phi$ by the first supposition. Thus $(\mathfrak{S}, \mathcal{V}), s' \models M ::^{C}_{a} \phi$ by discharge of the third supposition. Hence $(\mathfrak{S}, \mathcal{V}), s' \models a\,k\,M \wedge M ::^{C}_{a} \phi$. Finally, consecutively discharging the remaining three suppositions, $(\mathfrak{S}, \mathcal{V}), s \models \{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi)$, then $(\mathfrak{S}, \mathcal{V}), s \models ((M, b) ::^{C}_{a} \phi) \to \{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi)$, and then $(\mathfrak{S}, \mathcal{V}), s \models \bigwedge_{b \in C \cup \{a\}} (((M, b) ::^{C}_{a} \phi) \to \{[M]\}_a ::^{C \cup \{a\}}_{b} (a\,k\,M \wedge M ::^{C}_{a} \phi))$. □



A.2 Semantic completeness

For all $\phi \in \mathcal{L}$, if $\models \phi$ then $\vdash_{\mathrm{LiiP}} \phi$.

Proof. Let

• $\mathcal{W}$ designate the set of all maximally LiiP-consistent sets⁴

• for all $w, w' \in \mathcal{W}$, $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ :iff $\{ \phi \in \mathcal{L} \mid M ::^{C}_{a} \phi \in w \} \subseteq w'$

• for all $w \in \mathcal{W}$, $w \in \mathcal{V}_C(P)$ :iff $P \in w$.

Then $\mathfrak{M}_C := (\mathcal{W}, \{{}_{M}\mathcal{C}^{C}_{a}\}_{M \in \mathcal{M},\, a \in \mathcal{A},\, C \subseteq \mathcal{A}}, \mathcal{V}_C)$ designates the canonical model for LiiP. Following Fitting [Fit07, Section 2.2], the following useful property of $\mathfrak{M}_C$,

for all $\phi \in \mathcal{L}$ and $w \in \mathcal{W}$, $\phi \in w$ if and only if $\mathfrak{M}_C, w \models \phi$,

the so-called Truth Lemma, can be proved by induction on the structure of $\phi$.

⁴ A set $W$ of LiiP-formulas is maximally LiiP-consistent :iff $W$ is LiiP-consistent and $W$ has no proper superset that is LiiP-consistent. A set $W$ of LiiP-formulas is LiiP-consistent :iff $W$ is not LiiP-inconsistent. A set $W$ of LiiP-formulas is LiiP-inconsistent :iff there is a finite $W' \subseteq W$ such that $((\bigwedge W') \to \bot) \in \mathrm{LiiP}$. Any LiiP-consistent set can be extended to a maximally LiiP-consistent set by means of the Lindenbaum Construction [Fit07, Page 90]. A set is maximally LiiP-consistent if and only if the set of logical-equivalence classes of the set is an ultrafilter of the Lindenbaum-Tarski algebra of LiiP [Ven07, Page 351]. The canonical frame is isomorphic to the ultrafilter frame of that Lindenbaum-Tarski algebra [Ven07, Page 352].

1. Base case ($\phi := P$ for $P \in \mathcal{P}$). For all $w \in \mathcal{W}$, $P \in w$ if and only if $\mathfrak{M}_C, w \models P$, by definition of $\mathcal{V}_C$.

2. Inductive step ($\phi := \neg\phi'$ for $\phi' \in \mathcal{L}$). Suppose that for all $w \in \mathcal{W}$, $\phi' \in w$ if and only if $\mathfrak{M}_C, w \models \phi'$. Further let $w \in \mathcal{W}$. Then, $\neg\phi' \in w$ if and only if $\phi' \notin w$ (as $w$ is consistent) if and only if $\mathfrak{M}_C, w \not\models \phi'$ (by the induction hypothesis) if and only if $\mathfrak{M}_C, w \models \neg\phi'$.

3. Inductive step ($\phi := \phi' \wedge \phi''$ for $\phi', \phi'' \in \mathcal{L}$). Suppose that for all $w \in \mathcal{W}$, $\phi' \in w$ if and only if $\mathfrak{M}_C, w \models \phi'$, and that for all $w \in \mathcal{W}$, $\phi'' \in w$ if and only if $\mathfrak{M}_C, w \models \phi''$. Further let $w \in \mathcal{W}$. Then, $\phi' \wedge \phi'' \in w$ if and only if ($\phi' \in w$ and $\phi'' \in w$), because $w$ is maximal. Now suppose that $\phi' \in w$ and $\phi'' \in w$. Hence, $\mathfrak{M}_C, w \models \phi'$ and $\mathfrak{M}_C, w \models \phi''$, by the induction hypotheses, and thus $\mathfrak{M}_C, w \models \phi' \wedge \phi''$. Conversely, suppose that $\mathfrak{M}_C, w \models \phi' \wedge \phi''$. Then, $\mathfrak{M}_C, w \models \phi'$ and $\mathfrak{M}_C, w \models \phi''$. Hence, $\phi' \in w$ and $\phi'' \in w$, by the induction hypotheses. Thus, ($\phi' \in w$ and $\phi'' \in w$) if and only if ($\mathfrak{M}_C, w \models \phi'$ and $\mathfrak{M}_C, w \models \phi''$). Whence $\phi' \wedge \phi'' \in w$ if and only if ($\mathfrak{M}_C, w \models \phi'$ and $\mathfrak{M}_C, w \models \phi''$), by transitivity.

4. Inductive step ($\phi := M ::^{C}_{a} \phi'$ for $M \in \mathcal{M}$, $a \in \mathcal{A}$, $C \subseteq \mathcal{A}$, and $\phi' \in \mathcal{L}$).

4.1 for all $w \in \mathcal{W}$, $\phi' \in w$ if and only if $\mathfrak{M}_C, w \models \phi'$ (ind. hyp.)

4.2 $w \in \mathcal{W}$ (hyp.)

4.3 $M ::^{C}_{a} \phi' \in w$ (hyp.)

4.4 $w' \in \mathcal{W}$ (hyp.)

4.5 $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ (hyp.)

4.6 $\{ \phi'' \in \mathcal{L} \mid M ::^{C}_{a} \phi'' \in w \} \subseteq w'$ (4.5)

4.7 $\phi' \in \{ \phi'' \in \mathcal{L} \mid M ::^{C}_{a} \phi'' \in w \}$ (4.3, 4.6)

4.8 $\phi' \in w'$ (4.6, 4.7)

4.9 $\mathfrak{M}_C, w' \models \phi'$ (4.1, 4.4, 4.8)

4.10 if $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ then $\mathfrak{M}_C, w' \models \phi'$ (4.5–4.9)

4.11 for all $w' \in \mathcal{W}$, if $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ then $\mathfrak{M}_C, w' \models \phi'$ (4.4–4.10)

4.12 $\mathfrak{M}_C, w \models M ::^{C}_{a} \phi'$ (4.11)

4.13 $M ::^{C}_{a} \phi' \notin w$ (hyp.)

4.14 $\mathcal{F} = \{ \phi'' \in \mathcal{L} \mid M ::^{C}_{a} \phi'' \in w \} \cup \{ \neg\phi' \}$ (hyp.)

4.15 $\mathcal{F}$ is LiiP-inconsistent (hyp.)

4.16 there is $\{ M ::^{C}_{a} \phi_1, \ldots, M ::^{C}_{a} \phi_n \} \subseteq w$ such that $\vdash_{\mathrm{LiiP}} (\phi_1 \wedge \ldots \wedge \phi_n \wedge \neg\phi') \to \bot$ (4.14, 4.15)

4.17 $\{ M ::^{C}_{a} \phi_1, \ldots, M ::^{C}_{a} \phi_n \} \subseteq w$ and $\vdash_{\mathrm{LiiP}} (\phi_1 \wedge \ldots \wedge \phi_n \wedge \neg\phi') \to \bot$ (hyp.)

4.18 $\vdash_{\mathrm{LiiP}} (\phi_1 \wedge \ldots \wedge \phi_n) \to \phi'$ (4.17)

4.19 $\vdash_{\mathrm{LiiP}} (M ::^{C}_{a} (\phi_1 \wedge \ldots \wedge \phi_n)) \to M ::^{C}_{a} \phi'$ (4.18, regularity)

4.20 $\vdash_{\mathrm{LiiP}} ((M ::^{C}_{a} \phi_1) \wedge \ldots \wedge (M ::^{C}_{a} \phi_n)) \to M ::^{C}_{a} \phi'$ (4.19)

4.21 $M ::^{C}_{a} \phi' \in w$ (4.17, 4.20, $w$ is maximal)

4.22 false (4.13, 4.21)

4.23 false (4.16, 4.17–4.22)

4.24 $\mathcal{F}$ is LiiP-consistent (4.15–4.23)

4.25 there is $w' \supseteq \mathcal{F}$ s.t. $w'$ is maximally LiiP-consistent (4.24)

4.26 $\mathcal{F} \subseteq w'$ and $w'$ is maximally LiiP-consistent (hyp.)

4.27 $\{ \phi'' \in \mathcal{L} \mid M ::^{C}_{a} \phi'' \in w \} \subseteq \mathcal{F}$ (4.14)

4.28 $\{ \phi'' \in \mathcal{L} \mid M ::^{C}_{a} \phi'' \in w \} \subseteq w'$ (4.26, 4.27)

4.29 $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ (4.28)

4.30 $w' \in \mathcal{W}$ (4.26)

4.31 $\neg\phi' \in \mathcal{F}$ (4.14)

4.32 $\neg\phi' \in w'$ (4.26, 4.31)

4.33 $\phi' \notin w'$ (4.26 ($w'$ is LiiP-consistent), 4.32)

4.34 $\mathfrak{M}_C, w' \not\models \phi'$ (4.1, 4.33)

4.35 there is $w' \in \mathcal{W}$ s.t. $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ and $\mathfrak{M}_C, w' \not\models \phi'$ (4.29, 4.34)

4.36 $\mathfrak{M}_C, w \not\models M ::^{C}_{a} \phi'$ (4.35)

4.37 $\mathfrak{M}_C, w \not\models M ::^{C}_{a} \phi'$ (4.25, 4.26–4.36)

4.38 $\mathfrak{M}_C, w \not\models M ::^{C}_{a} \phi'$ (4.14–4.37)

4.39 $M ::^{C}_{a} \phi' \in w$ if and only if $\mathfrak{M}_C, w \models M ::^{C}_{a} \phi'$ (4.3–4.12, 4.13–4.38)

4.40 for all $w \in \mathcal{W}$, $M ::^{C}_{a} \phi' \in w$ if and only if $\mathfrak{M}_C, w \models M ::^{C}_{a} \phi'$ (4.2–4.39)

With the Truth Lemma we can now prove that for all $\phi \in \mathcal{L}$, if $\not\vdash_{\mathrm{LiiP}} \phi$ then $\not\models \phi$. Let $\phi \in \mathcal{L}$, and suppose that $\not\vdash_{\mathrm{LiiP}} \phi$. Thus, $\{\neg\phi\}$ is LiiP-consistent, and can be extended to a maximally LiiP-consistent set $w$, i.e., $\neg\phi \in w \in \mathcal{W}$. Hence $\mathfrak{M}_C, w \models \neg\phi$ by the Truth Lemma. Thus: $\mathfrak{M}_C, w \not\models \phi$, $\mathfrak{M}_C \not\models \phi$, and $\not\models \phi$. That is, $\mathfrak{M}_C$ is a universal (for all $\phi \in \mathcal{L}$) counter-model (if $\phi$ is a non-theorem then $\mathfrak{M}_C$ falsifies $\phi$).

We are left to prove that $\mathfrak{M}_C$ is also an LiiP-model. So let us instantiate our data mining operator $\mathrm{cl}_a$ (cf. Page 10) on $\mathcal{W}$ by letting for all $w \in \mathcal{W}$

$\mathrm{msgs}_a(w) := \{ M \mid a\,k\,M \in w \}$,

and let us prove that:

1. if $C \subseteq C'$ then ${}_{M}\mathcal{C}^{C}_{a} \subseteq {}_{M}\mathcal{C}^{C'}_{a}$

2. if $M \equiv_a M'$ then ${}_{M}\mathcal{C}^{C}_{a} = {}_{M'}\mathcal{C}^{C}_{a}$

3. if $M \in \mathrm{cl}^{w}_{a}(\emptyset)$ then $w\ {}_{M}\mathcal{C}^{C}_{a}\ w$

4. if $w\ {}_{\{[M]\}_b}\mathcal{C}^{C}_{a}\ w'$ then $M \in \mathrm{cl}^{w'}_{b}(\emptyset)$

5. for all $b \in C \cup \{a\}$, $({}_{\{[M]\}_a}\mathcal{C}^{C \cup \{a\}}_{b} \circ {}_{M}\mathcal{C}^{C}_{a}) \subseteq {}_{(M,b)}\mathcal{C}^{C}_{a}$.

For (1), let $C' \subseteq \mathcal{A}$ and suppose that $C \subseteq C'$. That is, $C \cup C' = C'$. Further, let $w, w' \in \mathcal{W}$ and suppose that $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$. That is, for all $\phi \in \mathcal{L}$, if $M ::^{C}_{a} \phi \in w$ then $\phi \in w'$. Furthermore, let $\phi \in \mathcal{L}$ and suppose that $M ::^{C'}_{a} \phi \in w$. Thus $M ::^{C \cup C'}_{a} \phi \in w$ by the first supposition. Since $w$ is maximal,

$(M ::^{C \cup C'}_{a} \phi) \to M ::^{C}_{a} \phi \in w$ (group decomposition).

Hence $M ::^{C}_{a} \phi \in w$ by modus ponens, and thus $\phi \in w'$ by the second supposition.

For (2), suppose that $M \equiv_a M'$. That is, for all $w \in \mathcal{W}$, $M \in \mathrm{cl}^{w}_{a}(\emptyset)$ if and only if $M' \in \mathrm{cl}^{w}_{a}(\emptyset)$. Hence for all $w \in \mathcal{W}$, $a\,k\,M \in w$ if and only if $a\,k\,M' \in w$ due to the maximality of $w$, which contains all the term axioms corresponding to the defining clauses of $\mathrm{cl}^{w}_{a}$. Hence for all $w \in \mathcal{W}$, $\mathfrak{M}_C, w \models a\,k\,M$ if and only if $\mathfrak{M}_C, w \models a\,k\,M'$, by the Truth Lemma. Thus for all $w \in \mathcal{W}$, $\mathfrak{M}_C, w \models a\,k\,M \leftrightarrow a\,k\,M'$. Hence for all $w \in \mathcal{W}$, $a\,k\,M \leftrightarrow a\,k\,M' \in w$ by the Truth Lemma. Hence the following intermediate result, called IR,

for all $w \in \mathcal{W}$ and $\phi \in \mathcal{L}$, $(M ::^{C}_{a} \phi) \leftrightarrow M' ::^{C}_{a} \phi \in w$,

by epistemic bitonicity. Further, let $w, w' \in \mathcal{W}$. Hence,

• $w\ {}_{M}\mathcal{C}^{C}_{a}\ w'$ by definition if and only if

• (for all $\phi \in \mathcal{L}$, if $M ::^{C}_{a} \phi \in w$ then $\phi \in w'$) by IR if and only if

• (for all $\phi \in \mathcal{L}$, if $M' ::^{C}_{a} \phi \in w$ then $\phi \in w'$) by definition if and only if

• $w\ {}_{M'}\mathcal{C}^{C}_{a}\ w'$.

For (3), let $w \in \mathcal{W}$ and suppose that $M \in \mathrm{cl}^{w}_{a}(\emptyset)$. Hence $a\,k\,M \in w$ due to the maximality of $w$, which contains all the term axioms corresponding to the defining clauses of $\mathrm{cl}^{w}_{a}$. Further suppose that $M ::^{C}_{a} \phi \in w$. Since $w$ is maximal,

$(M ::^{C}_{a} \phi) \to (a\,k\,M \to \phi) \in w$ (epistemic truthfulness).

Hence, $a\,k\,M \to \phi \in w$, and $\phi \in w$, by consecutive modus ponens.

For (4), let $w, w' \in \mathcal{W}$ and suppose that $w\ {}_{\{[M]\}_b}\mathcal{C}^{C}_{a}\ w'$. That is, for all $\phi \in \mathcal{L}$, if $\{[M]\}_b ::^{C}_{a} \phi \in w$ then $\phi \in w'$. Since $w$ is maximal,

$\{[M]\}_b ::^{C \cup \{b\}}_{a} b\,k\,M \in w$ (authentic knowledge)

and

$(\{[M]\}_b ::^{C \cup \{b\}}_{a} b\,k\,M) \to \{[M]\}_b ::^{C}_{a} b\,k\,M \in w$ (group decomposition).

Hence, $\{[M]\}_b ::^{C}_{a} b\,k\,M \in w$ by modus ponens, $b\,k\,M \in w'$ by particularisation of the supposition, and thus $M \in \mathrm{cl}^{w'}_{b}(\emptyset)$ by the definition of $\mathrm{cl}^{w}_{b}$.

For (5), suppose that $b \in C \cup \{a\}$ and let $w, w', w'' \in \mathcal{W}$. Further suppose that $w\ {}_{\{[M]\}_a}\mathcal{C}^{C \cup \{a\}}_{b}\ w'$ (i.e., for all $\phi \in \mathcal{L}$, if $\{[M]\}_a ::^{C \cup \{a\}}_{b} \phi \in w$ then $\phi \in w'$) and $w'\ {}_{M}\mathcal{C}^{C}_{a}\ w''$ (i.e., for all $\phi \in \mathcal{L}$, if $M ::^{C}_{a} \phi \in w'$ then $\phi \in w''$). Furthermore suppose that $(M, b) ::^{C}_{a} \phi \in w$. Since $w$ is maximal,

$((M, b) ::^{C}_{a} \phi) \to \{[M]\}_a ::^{C \cup \{a\}}_{b} (M ::^{C}_{a} \phi) \in w$,

as a direct consequence of nominal peer review and then the first supposition. Hence, applying modus ponens consecutively, $\{[M]\}_a ::^{C \cup \{a\}}_{b} (M ::^{C}_{a} \phi) \in w$ by the fourth supposition, $M ::^{C}_{a} \phi \in w'$ by particularisation of the second supposition, and finally $\phi \in w''$ by the third supposition. □

B Application examples

With the simple but powerful language of LiiP, we can concisely express otherwise difficult to formalise security requirements such as those arising in Access Control (cf. [And08, Chapter 4]) and Data-Base Privacy (cf. [And08, Chapter 9]).

B.1 Access Control

According to [And08, Chapter 4]:

    Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science. Its function is to control which principals (persons, processes, machines. . . ) have access to which resources in the system — which files they can read, which programs they can execute, how they share data with other principals, and so on.

"Principals" and "resources" mean "agents" in our terminology. Access rights can be specified by application-specific access-control policies $\Phi$; and specific access is then granted when certain access-authorisation credentials $C$ are presented. These credentials are examples of application-specific base data $B$ (cf. Definition 1), whose validity typically is, first, temporary and thus non-monotonic as in the case of one-time credentials and credentials revokable by other, so-called revocation credentials, and, second, restricted to certain agent communities $C \subseteq \mathcal{A}$. Conceptually, an access-control policy can be understood as a set $\Phi$ of implicational laws $\phi$ that together with elementary access-right facts $P$ constitutes a Horn-logical (cf. Prolog) or even an efficiently decidable Datalog theory. In LiiP, we can formalise each elementary access-right fact as an application-specific atomic proposition $P \in \mathcal{P}$. An example of such a fact is that an agent $a$ may write-access resource $r$ guarded by a different agent $b$ (acting thus as a reference monitor), which we can formalise as an atomic proposition $P_1 := \mathrm{maywrite}(a, r, b)$. Thus we can let $C := \{a, b\} \subseteq \{a, r, b\} \subseteq \mathcal{A}$. Naturally, agent $a$ may then also read resource $r$ guarded by agent $b$, i.e., $\phi_1 := (\mathrm{maywrite}(a, r, b) \to \mathrm{mayread}(a, r, b))$. Et cetera up to $\phi_m$ and $P_n$ for some natural numbers $m, n \in \mathbb{N}$. Now, define the resulting access-control policy as $\Phi := \{\phi_i\}_{1 \le i \le m}$, the resulting access-control LiiP-theory over $\Phi$ as

$\mathrm{LiiP}_{\Phi} := \mathrm{Cl}(\Phi)$

(where Cl is as in Definition 2), and $\vdash_{\mathrm{LiiP}_{\Phi}}$ similarly to $\vdash_{\mathrm{LiiP}}$. Whence the following instance of a direct consequence of nominal peer review

$\vdash_{\mathrm{LiiP}_{\Phi}} ((C, b) ::^{C}_{a} \mathrm{maywrite}(a, r, b)) \to \{[C]\}_a ::^{C}_{b} \mathrm{maywrite}(a, r, b)$

and the following instance of epistemic truthfulness

$\vdash_{\mathrm{LiiP}_{\Phi}} (\{[C]\}_a ::^{C}_{b} \mathrm{maywrite}(a, r, b)) \to (b\,k\,\{[C]\}_a \to \mathrm{maywrite}(a, r, b))$.

Hence by transitivity of logical implication,

$\vdash_{\mathrm{LiiP}_{\Phi}} ((C, b) ::^{C}_{a} \mathrm{maywrite}(a, r, b)) \to (b\,k\,\{[C]\}_a \to \mathrm{maywrite}(a, r, b))$.

This means that if it is commonly accepted in $C$ that $(C, b)$ can prove to (and thus inform) $a$ that $a$ may write-access $r$ guarded by $b$, then if further $b$ knows $\{[C]\}_a$ (through $a$ presenting $\{[C]\}_a$ to $b$, since only $a$ can generate her own signature), then indeed $a$ may write-access $r$, and the guard $b$ knows that (due to Fact 1) and thus will grant $a$ the requested access. Actually $b$ will also grant $a$ read-access since according to the policy $\Phi$, write access implies read access:

$\vdash_{\mathrm{LiiP}_{\Phi}} ((C, b) ::^{C}_{a} \mathrm{maywrite}(a, r, b)) \to (b\,k\,\{[C]\}_a \to (\mathrm{maywrite}(a, r, b) \wedge \mathrm{mayread}(a, r, b)))$.

Note that we could refine our arguably rough policy $\Phi$ with respect to agent roles and thus specify a refined policy $\Phi'$. For example, we could specify that $\Phi \subseteq \Phi'$ and that for all $x, y \in C$, $\mathrm{guest}(x) \in \mathcal{P}$ and $\mathrm{host}(y) \in \mathcal{P}$ as well as $((\mathrm{guest}(x) \wedge \mathrm{host}(y)) \to \mathrm{mayread}(x, r, y)) \in \Phi'$, $(\mathrm{host}(y) \to \mathrm{maywrite}(y, r, y)) \in \Phi'$, et cetera. Orthogonally to agent roles, we could refine $\Phi$ with respect to agent clearances and corresponding resource classifications (cf. Information Flow Control [And08, Section 8.3.1-2]) and thus specify a refined policy $\Phi''$. For example we could specify that $\Phi \subseteq \Phi''$ and that for all $a \in \mathcal{A}$ (and thus for all resources $r$), $\mathrm{topsecret}(a), \mathrm{secret}(a), \mathrm{confidential}(a), \mathrm{unclassified}(a) \in \mathcal{P}$ as well as $(\mathrm{topsecret}(a) \to \mathrm{secret}(a)) \in \Phi''$, $(\mathrm{secret}(a) \to \mathrm{confidential}(a)) \in \Phi''$, $((\mathrm{topsecret}(a) \wedge \mathrm{topsecret}(r)) \to \mathrm{maywrite}(a, r, b)) \in \Phi''$, and $((\mathrm{topsecret}(a) \wedge (\mathrm{secret}(r) \vee \mathrm{confidential}(r) \vee \mathrm{unclassified}(r))) \to \mathrm{mayread}(a, r, b)) \in \Phi''$. Et cetera for other, so-called no-read-up and no-write-down/up requirements.
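The Horn-logical (Datalog) reading of the policies $\Phi$, $\Phi'$ and $\Phi''$ just described, as an added example that is not part of the paper: a small forward-chaining evaluator in Python that derives the access-right facts and lets the guard $b$ decide a request. The representation of facts and rules, and the modelling of "$b$ knows $\{[C]\}_a$" as a signer-tagged message in the guard's set of received messages, are assumptions of this example; the credential and sample facts are constructed.

```python
"""Added example, not from the paper: a small Horn-clause (Datalog-style)
evaluator for the access-control policies of Appendix B.1.  Assumptions
not in the paper: facts are tuples (predicate, args...), rules are Horn
clauses (head, body) with variables written as '?x', and 'b knows {[C]}_a'
is modelled as the message ("sig", "a", C) being among the messages the
guard b has received."""


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, env):
    """Extend env so that pattern matches fact; None if impossible."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if env.get(p, f) != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def match_body(body, facts, env):
    """Yield every substitution under which all body atoms are known facts."""
    if not body:
        yield env
        return
    for fact in facts:
        new_env = unify(body[0], fact, env)
        if new_env is not None:
            yield from match_body(body[1:], facts, new_env)


def subst(template, env):
    return (template[0],) + tuple(env.get(t, t) for t in template[1:])


def forward_chain(facts, rules):
    """Least fixpoint of the facts under the Horn rules (Datalog semantics).
    Terminates: the Herbrand base over finitely many constants is finite."""
    derived = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for env in list(match_body(body, derived, {})):
                new = subst(head, env)
                if new not in derived:
                    derived.add(new)
                    changed = True
    return derived


# Policy Phi from the paper: write access implies read access.
PHI = [(("mayread", "?a", "?r", "?b"), [("maywrite", "?a", "?r", "?b")])]

# Refinement Phi' by roles: a guest may read what a host guards, a host may
# write her own resource (resource name "r" as in the paper).
PHI_ROLES = PHI + [
    (("mayread", "?x", "r", "?y"), [("guest", "?x"), ("host", "?y")]),
    (("maywrite", "?y", "r", "?y"), [("host", "?y")]),
]

# Refinement Phi'' by clearances: the clearance chain and the paper's
# top-secret rules; the disjunction in the read rule becomes three clauses.
PHI_CLEARANCE = PHI + [
    (("secret", "?x"), [("topsecret", "?x")]),
    (("confidential", "?x"), [("secret", "?x")]),
    (("maywrite", "?a", "?r", "b"), [("topsecret", "?a"), ("topsecret", "?r")]),
] + [(("mayread", "?a", "?r", "b"), [("topsecret", "?a"), (level, "?r")])
     for level in ("secret", "confidential", "unclassified")]

# Constructed credential C asserting the base fact maywrite(a, r, b); its
# signature by a, {[C]}_a, is represented as the signer-tagged tuple below.
CREDENTIAL = ("maywrite", "a", "r", "b")
SIGNED_BY_A = ("sig", "a", CREDENTIAL)


def guard_decides(known_by_guard, base_facts, rules, request):
    """Reference monitor b grants `request` iff the policy derives it from
    the base facts plus every credential signed by the requesting agent
    that b has received (only that agent can have produced her signature)."""
    subject = request[1]
    presented = {m[2] for m in known_by_guard
                 if m[0] == "sig" and m[1] == subject}
    return request in forward_chain(set(base_facts) | presented, rules)
```

The example covers only the propositional policy layer that the guard evaluates once it knows the signed credential; the modal layer of the argument above ($(C, b) ::^{C}_{a} \ldots$) is not encoded.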
B.2 Data-Base Privacy

An important example of a resource is a relational data-base, say a medical data-base $d$, over application-specific atomic pieces of content data $B$ (cf. Definition 1). Note that $d$ typically evolves, whence the point of non-monotonicity. Then, each unary relation in the data-base $d$ can be understood as a finite (sub)set of content data $B$, each binary relation as a finite set of ordered pairs $(B, B')$ of data $B$ and $B'$, each relation of higher finite arity as a finite set of such pairs of pairs, and the content of $d$ as a finite set of such relations (finite sets). Finally, finite sets can be coded as data pairs and thus the entire content $\mathcal{D}$ of $d$ can be understood as a subset of $\mathcal{M}$ over the atomic data $B$. Now, data-base privacy with respect to the data-base $d$ means that certain agents $a$ must not be able to infer certain facts $\phi$ from $d$ (cf. Inference Control [And08, Section 9.3]). In order to meet this privacy requirement, certain atomic data $B$ in $\mathcal{D}$ are blinded (e.g., replaced by some dummy datum), resulting in a new, partially blinded content $\mathcal{D}' \subseteq \mathcal{M}'$. The privacy requirement can now be formalised in the language of LiiP by simply stipulating that for all $M \in \mathcal{M}'$,

The requirement could be proved by induction over the well-structured data.